
Bat/Mumu Worm Picking Up Steam

This virus / worm is actually a couple weeks old, but it seems to be picking up steam. More reports are coming in about infected machines. Here is some info:

This worm uses a set of batch files, a few utility programs, and a trojan to spread. It simply copies a set of many different files to target systems, and remotely executes a batch file on that system to spread further. The worm scans for IP addresses to infect, then copies over the various files, and runs again. It does not contain a damaging payload. The worm intends to capture typed keystrokes and send email to a configured address. However, some samples received by AVERT have a key program (PCGhost) replaced with the nView Desktop Manager. The worm can continue to propagate, spreading this innocent file along the way. PCGhost is a "Potentially Unwanted Program" that monitors system usage, including typed keystrokes, logs this information to a file, and can send the information to a defined email address.

You are turning out to be the resident "harbinger of sorrow" now, aren't you?

There should be a competition of who can bring in the most alerts in a specified time. Hmm... maybe someone should ask for that to happen......

Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson

I had the opportunity to take a look at it last week. Nice job of NT bat file programming. And from the looks of it, it had copied itself onto 23 other machines before an AV update detected hfind.exe.

It automates the net use command and copies all of its files over to the new drive on a successful attempt. It then makes a call to psexec to start the main bat file on the remote machine and continues on its merry way. Simple but very effective.

The infected machine was using an AT&T dial-up, which set itself up with file and print sharing enabled.
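As an added example (not code from the thread or from any of its posters), here is how a defender could spot the net use + psexec propagation pattern described above in Windows event logs: an admin-share connection to a host followed by a PsExec service install on that same host. The log format, host names and addresses are constructed, and it is assumed the endpoint exports share-access (5140) and service-install (7045) events.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed, simplified log lines (not from the thread): host|event_id|source_ip|detail
SAMPLE_LOGS = """\
WKS01|5140|10.0.0.5|share ADMIN$ accessed
WKS01|7045|-|service PSEXESVC installed, C:\\Windows\\PSEXESVC.exe
WKS02|5140|10.0.0.5|share C$ accessed
WKS03|7045|-|service Spooler installed
WKS04|7045|-|service PSEXESVC installed, C:\\Windows\\PSEXESVC.exe
WKS02|7045|-|service PSEXESVC installed, C:\\Windows\\PSEXESVC.exe
"""

# net use against an administrative share (ADMIN$, C$, D$ ...) shows up as a share access
ADMIN_SHARE = re.compile(r"share (ADMIN\$|[A-Z]\$) accessed")
# psexec installs its PSEXESVC service on the remote host before running the command
PSEXEC_SVC = re.compile(r"service PSEXESVC installed", re.IGNORECASE)


def parse(line: str):
    host, event_id, src, detail = line.split("|", 3)
    return host, int(event_id), src, detail


def find_lateral_movement(log_text: str) -> Dict[str, dict]:
    """Return hosts where a PsExec service install occurred; confidence is 'high'
    when an admin-share access from a remote source preceded it on the same host."""
    share_src: Dict[str, str] = {}  # host -> source IP of latest admin-share access
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, eid, src, detail = parse(line)
        if eid == 5140 and ADMIN_SHARE.search(detail):
            share_src[host] = src
        elif eid == 7045 and PSEXEC_SVC.search(detail):
            source: Optional[str] = share_src.get(host)
            hits[host] = {"source": source, "confidence": "high" if source else "medium"}
    return hits


def spreading_sources(hits: Dict[str, dict]) -> Counter:
    """Count how many hosts each source address reached; one address fanning out
    to many hosts is the worm's 'copied itself onto N other machines' signature."""
    return Counter(h["source"] for h in hits.values() if h["source"])
```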